Whistle-blowing Scientists (Trying To Prevent Dangerous Products From Reaching The Market) Sue FDA For Snooping On Their Personal Email Accounts

from the shameful-suppression dept

Last year, we wrote about the federal whistle-blowing act, which was designed to give protections to federal employees who blow the whistle on federal fraud and abuse. For reasons that still aren't clear, that bill was killed by a secret hold by either Senators Jon Kyl or Jeff Sessions. That fact only came out due to an amazing effort by the folks at On The Media, who kept hounding all 100 Senators to find out who would possibly kill such a bill. Recently, On The Media revisited the topic, noting that there was a new version of the bill. The report also talks about just how vindictive the government has been against whistleblowers. Even as President Obama has insisted that whistleblowers are important and should be protected, that's not what's happening in real life, with many getting stripped of their responsibility and demoted -- all for daring to point out waste, fraud and abuse. The worst example to date, remains the horrifying story of Thomas Drake, who was threatened with 35 years in jail in a bogus vindictive lawsuit against him, due to his blowing the whistle on a bogus NSA project.

More evidence of the insane lengths the federal government will go to against whistleblowers has been revealed in the form of a lawsuit from a group of FDA scientists and doctors. The group had been trying to blow the whistle on fraud and abuse in the FDA, in the form of approvals for medical devices that didn't actually meet health and safety standards. The scientists reached out to Congress to blow the whistle... and in response, the FDA started spying on their personal emails. Yes, it does appear that these scientists were accessing their personal Gmail accounts from work computers, and using them to work with Congressional staffers to craft their whistleblowing complaint, but does that give the FDA the right to spy on their personal communications? The doctors, via their lawsuit, believe the answer is no.

The FDA is defending its actions by claiming that this whistleblowing involved "improperly disclosed confidential business information about the devices," and it wanted an investigation of the doctors involved. That sounds ridiculous. Or, perhaps, all too typical. It seems clear that the FDA bosses just didn't like the fact that some folks there blew the whistle on what they were doing and took vindictive actions. This is exactly the kind of thing that a Whistle Blower Act should protect. That it doesn't do so already is really a shame.

Re:

It is just sad that there is even the need for whistleblowers. What ever happened to just trying to do the right thing? You can get paid for doing good things as well as bad things - but so many people prefer to do the wrong things.

Re:

it does appear that these scientists were accessing their personal Gmail accounts from work computers

As a former network admin I had to deal with this fine line quite a bit, but I also believe there is a fair amount of precedent stating that the company owns the network and thus can 'snoop' on any traffic on that network.

Additionally it would be good to get a look at the employee policy manual. Many companies explicitly state that employees have not expectation of privacy while using company computers/networks. Maybe that won't stand up in court, but that alone could thwart them.

I support what these whistle-blowers are doing, but they should have used their personal computers/mobile devices, not work computers.

Re: Re:

It is pretty straightforward to monitor SSL (https) using man-in-the-middle with a local organizational cert. Basically any 443 connection is encrypted to/from the workstation and the trusted monitoring device, then encrypted to/from the monitoring device and the originally requested site. This is done by having a local trusted cert on the workstations.

Since the organization owns/administers the local workstations, this isn't considered a broken chain of trust. The ethics of what is done with that information are an entirely different matter, and here there be dragons.

Are employees specifically aware of this capability? (I would suggest the standard "we can monitor anything" message is insufficient given the expectation that https connections are encrypted and reasonably secure.) Are exceptions made for banking sites and such? If not, how will the information gathered be secured? Tons of other issues are raised to the point that some organizations find it easier to just block https and be done with it.

If the organization somehow obtained and was using the employee's gmail password without the employee's knowledge, that violates plenty of laws, and any organization taking that approach could (rightly) be in deep doo-doo.

Re: Re: Re:

My company actually issues organizational certs to all of our workstations. Even with the "man-in-the-middle" attack you describe, a savvy employee could still possibly catch this one (since as you said, it is still a valid chain of trust), and I occasionally double-check certificates of websites I visit to make sure they are signed by an external certificate authority. To the best of my knowledge, my company hasn't turned on any https monitoring yet, even though they definitely can.

How they did it

The linked WaPo article gives more info. If I understood it correctly, software was installed on their computers to periodically take screenshots of their monitors and save them to a sekrit network directory.

Re:

Yeah, if you are using your work computer and network, expect it to be spied on. They don't turn the spybots off when you access gmail. But then they gotta get the evidence of wrongdoing from the work computer to the public somehow right? :)

Re: Re: Re: Re:

It would be simple to ensure no sanctioned devices can obtain an IP address on a computer network. Also, it would be extremely unlikely for them to not have a signed IT agreement for each employee that stated no foreign devices on the network.

Re: Re: Re: Re: Re:

Re: Re:

Or just use a personal smartphone/laptop at work

Many, if not most, government agencies outlaw or discourage the use of personal laptops while at the government facilities. Smartphones are prohibited in any sensitive areas as well. There are some facilities where employees are told to leave their smartphones and other personal devices in their cars.

Then again, the warning banner specifically says that they can monitor everything done on their systems. Best bet would be to drive your car outside of the fence and use your smartphone there, or use your laptop/desktop at home.

Re:

Except that the agreement doesn't mean anything until it is tested in the courts. Many websites, computers systems, and software come with agreements and clicking accept doesn't automatically make all the terms in those agreements legal.

The FDA is defending its actions by claiming that this whistleblowing involved "improperly disclosed confidential business information about the devices," and it wanted an investigation of the doctors involved.

So whistleblowing is fine, as long as you only use publicly available information to do it?

well

Why else do you think the president, the senate and congress are doing everything they can to stop whistleblowers?

Because as you clear corruption from lower levels, people are free to start whistleblowing on higher lvl massive (and slightly illegal) payments that businesses have been paying for years to ensure they get government contracts......

More evidence of the insane lengths the federal government will go to against whistleblowers has been revealed in the form of a lawsuit from a group of FDA scientists and doctors. The group had been trying to blow the whistle on fraud and abuse in the FDA, in the form of approvals for medical devices that didn't actually meet health and safety standards.

So, doctors who try to prevent illness (which should be all of them) are now considered a liability by the current medical system? I guess that makes sense, from an amoral pill-pusher's point of view.